Common subdirectories: nmap-3.10ALPHA6/docs and nmap-3.10ALPHA6-multipletcp/docs
diff -U3 nmap-3.10ALPHA6/idle_scan.cc nmap-3.10ALPHA6-multipletcp/idle_scan.cc
--- nmap-3.10ALPHA6/idle_scan.cc 2002-09-15 20:54:43.000000000 -0600
+++ nmap-3.10ALPHA6-multipletcp/idle_scan.cc 2002-12-19 08:49:11.000000000 -0700
@@ -265,7 +265,7 @@
 if (*q==0 || !endptr || *endptr != '\0' || !proxy->probe_port) {
 fatal("Invalid port number given in IPID zombie specification: %s", proxyName);
 }
- } else proxy->probe_port = o.tcp_probe_port;
+ } else proxy->probe_port = o.tcp_probe_port[0];
 proxy->host.setHostName(name);
 if (resolve(name, &ss, &sslen, o.pf()) == 0) {
Common subdirectories: nmap-3.10ALPHA6/libpcap-possiblymodified and nmap-3.10ALPHA6-multipletcp/libpcap-possiblymodified
Common subdirectories: nmap-3.10ALPHA6/mswin32 and nmap-3.10ALPHA6-multipletcp/mswin32
Common subdirectories: nmap-3.10ALPHA6/nbase and nmap-3.10ALPHA6-multipletcp/nbase
diff -U3 nmap-3.10ALPHA6/nmap.cc nmap-3.10ALPHA6-multipletcp/nmap.cc
--- nmap-3.10ALPHA6/nmap.cc 2002-12-16 17:29:44.000000000 -0700
+++ nmap-3.10ALPHA6-multipletcp/nmap.cc 2002-12-19 08:56:47.000000000 -0700
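Review bot: The idle-scan zombie now silently takes only the first configured probe port (`o.tcp_probe_port[0]`) even when the user supplied several via -PS/-PA/-PT, and nothing on the new line records that choice. A short comment would save the next reader a trip to nmap.cc: `} else proxy->probe_port = o.tcp_probe_port[0]; /* idle scan probes a single port: use the first -P probe port */`. Whether the remaining configured ports should be reported or rejected here is a design question the commit leaves open. The enclosing function starts and ends outside the hunk.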
@@ -472,23 +472,27 @@
 else if (*optarg == 'S') {
 o.pingtype |= (PINGTYPE_TCP|PINGTYPE_TCP_USE_SYN);
 if (isdigit((int) *(optarg+1)))
- o.tcp_probe_port = atoi(optarg+1);
+ getprobepts(optarg+1);
 } else if (*optarg == 'T' || *optarg == 'A') {
 o.pingtype |= (PINGTYPE_TCP|PINGTYPE_TCP_USE_ACK);
 if (isdigit((int) *(optarg+1)))
- o.tcp_probe_port = atoi(optarg+1);
+ getprobepts(optarg+1);
 } else if (*optarg == 'B') {
 o.pingtype = (PINGTYPE_TCP|PINGTYPE_TCP_USE_ACK|PINGTYPE_ICMP_PING);
 if (isdigit((int) *(optarg+1)))
- o.tcp_probe_port = atoi(optarg+1);
+ getprobepts(optarg+1);
 } else {
 fatal("Illegal Argument to -P, use -P0, -PI, -PB, -PM, -PP, -PT, or -PT80 (or whatever number you want for the TCP probe destination port)");
 }
- if ((o.pingtype & PINGTYPE_TCP) && o.tcp_probe_port != DEFAULT_TCP_PROBE_PORT)
- log_write(LOG_STDOUT, "TCP probe port is %hu\n", o.tcp_probe_port);
+ if ((o.pingtype & PINGTYPE_TCP) && (o.num_probe_ports != 1 || o.tcp_probe_port[0] != DEFAULT_TCP_PROBE_PORT)) {
+ log_write(LOG_STDOUT, "TCP probe port(s):");
+ for( int i=0; i 65535 ) {
+ fatal("Probe ports must be between 1 and 65535 inclusive");
+ }
+ if( o.num_probe_ports >= MAX_PROBE_PORTS ) {
+ fatal("Limit on number of probe ports (%d) exceeded", MAX_PROBE_PORTS);
+ }
+ o.tcp_probe_port[o.num_probe_ports++] = port;
+ current_range = endptr;
+ if( *current_range ==',' )
+ current_range++;
+ } while( current_range && *current_range);
+}
+ /* Convert a string like "-100,200-1024,3000-4000,60000-" into an array of port numbers. Note that one trailing comma is OK -- this is actually useful for machine generated lists */
Common subdirectories: nmap-3.10ALPHA6/nmapfe and nmap-3.10ALPHA6-multipletcp/nmapfe
diff -U3 nmap-3.10ALPHA6/nmap.h nmap-3.10ALPHA6-multipletcp/nmap.h
--- nmap-3.10ALPHA6/nmap.h 2002-12-17 12:40:05.000000000 -0700
+++ nmap-3.10ALPHA6-multipletcp/nmap.h 2002-12-19 08:57:55.000000000 -0700
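Review bot: getprobepts rejects malformed input only by accident, because nothing examines `endptr` after the `strtol` call: a stray character such as `80x` or `80;443` leaves `current_range` pointing at the junk, the next iteration parses 0 and the user gets the misleading "Probe ports must be between 1 and 65535 inclusive", while `80 443` is silently accepted as two ports since strtol skips leading whitespace. Check the terminator right after the conversion, e.g. `if (endptr == current_range || (*endptr != '\0' && *endptr != ',')) fatal("Invalid TCP probe port list: %s", expr);`, so the message names the real problem and the comma separator is actually enforced. The opening lines of getprobepts and the tail of the preceding hunk are garbled in this copy of the patch, so only the body from the range check onward is visible here.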
@@ -208,6 +208,7 @@
 #ifndef DEBUGGING
 #define DEBUGGING 0
 #endif
+#define MAX_PROBE_PORTS 10 /* How many TCP probe ports are allowed ? */
 /* Default number of ports in parallel. Doesn't always involve actual sockets. Can also adjust with the -M command line option. */
 #define MAX_SOCKETS 36
@@ -391,6 +392,7 @@
 int ftp_anon_connect(struct ftpinfo *ftp);
 /* port manipulators */
+void getprobepts(char *expr);
 struct scan_lists *getpts(char *expr); /* someone stole the name getports()! */
 int getidentinfoz(struct in_addr target, u16 localport, u16 remoteport, char *owner, int ownersz);
diff -U3 nmap-3.10ALPHA6/NmapOps.cc nmap-3.10ALPHA6-multipletcp/NmapOps.cc
--- nmap-3.10ALPHA6/NmapOps.cc 2002-10-23 02:51:57.000000000 -0600
+++ nmap-3.10ALPHA6-multipletcp/NmapOps.cc 2002-12-19 08:58:39.000000000 -0700
@@ -126,7 +126,8 @@
 reference_FPs = NULL;
 magic_port = 33000 + (get_random_uint() % 31000);
 magic_port_set = 0;
- tcp_probe_port = DEFAULT_TCP_PROBE_PORT;
+ num_probe_ports = 1;
+ tcp_probe_port[0] = DEFAULT_TCP_PROBE_PORT;
 max_parallelism = 0;
 min_parallelism = 0;
 max_rtt_timeout = MAX_RTT_TIMEOUT;
diff -U3 nmap-3.10ALPHA6/NmapOps.h nmap-3.10ALPHA6-multipletcp/NmapOps.h
--- nmap-3.10ALPHA6/NmapOps.h 2002-10-23 02:51:57.000000000 -0600
+++ nmap-3.10ALPHA6-multipletcp/NmapOps.h 2002-12-19 08:59:21.000000000 -0700
@@ -89,7 +89,8 @@
 FingerPrint **reference_FPs;
 u16 magic_port;
 unsigned short magic_port_set; /* Was this set by user? */
- u16 tcp_probe_port;
+ int num_probe_ports;
+ u16 tcp_probe_port[MAX_PROBE_PORTS];
 /* Scan timing/politeness issues */
 int max_parallelism; // 0 means it has not been set
diff -U3 nmap-3.10ALPHA6/targets.cc nmap-3.10ALPHA6-multipletcp/targets.cc
--- nmap-3.10ALPHA6/targets.cc 2002-12-17 01:45:27.000000000 -0700
+++ nmap-3.10ALPHA6-multipletcp/targets.cc 2002-12-19 09:12:49.000000000 -0700
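Review bot: The two new NmapOps members in the NmapOps.h hunk carry no comment, although the invariant they share is exactly what a reader needs: `num_probe_ports` is the count of valid entries in `tcp_probe_port[]`, and the NmapOps.cc hunk initializes it to 1 with `tcp_probe_port[0] = DEFAULT_TCP_PROBE_PORT`, so the array is never empty. I would annotate the declarations as `int num_probe_ports; /* valid entries in tcp_probe_port[], always >= 1 */` and `u16 tcp_probe_port[MAX_PROBE_PORTS]; /* MAX_PROBE_PORTS is defined in nmap.h */`. The second comment also records that NmapOps.h now depends on nmap.h being included first; if this header does not already include it, that include belongs here rather than in every client. The class definition starts and ends outside the hunk.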
@@ -446,11 +446,13 @@
 seq, id, &ss, time, pingtype, ptech);
 if (ptech.rawtcpscan) {
- sendrawtcppingquery(rawsd, hostbatch[hostnum], pingtype, seq,
- time, &pt);
+ /* multiple ports probed when doing raw tcp ping */
+ for( int i=0; isin_family == AF_INET)
- sin->sin_port = htons(o.tcp_probe_port);
+ sin->sin_port = htons(probe_port);
 #if HAVE_IPV6
- else sin6->sin6_port = htons(o.tcp_probe_port);
+ else sin6->sin6_port = htons(probe_port);
 #endif //HAVE_IPV6
 res = connect(tqi->sockets[seq],(struct sockaddr *)&sock, socklen);
@@ -590,7 +592,7 @@
 return 0;
 }
-int sendrawtcppingquery(int rawsd, Target *target, int pingtype,
+int sendrawtcppingquery(int rawsd, Target *target, int pingtype, u16 probe_port,
 int seq, struct timeval *time, struct pingtune *pt) {
 int trynum;
 int myseq;
@@ -604,10 +606,10 @@
 myseq = (get_random_uint() << 19) + (seq << 3) + 3; /* Response better end in 011 or 100 */
 o.decoys[o.decoyturn].s_addr = target->v4source().s_addr;
 if (pingtype & PINGTYPE_TCP_USE_SYN) {
- send_tcp_raw_decoys( rawsd, target->v4hostip(), sportbase + trynum, o.tcp_probe_port, myseq, myack, TH_SYN, 0, NULL, 0, o.extra_payload,
+ send_tcp_raw_decoys( rawsd, target->v4hostip(), sportbase + trynum, probe_port, myseq, myack, TH_SYN, 0, NULL, 0, o.extra_payload,
 o.extra_payload_length);
 } else {
- send_tcp_raw_decoys( rawsd, target->v4hostip(), sportbase + trynum, o.tcp_probe_port, myseq, myack, TH_ACK, 0, NULL, 0, o.extra_payload,
+ send_tcp_raw_decoys( rawsd, target->v4hostip(), sportbase + trynum, probe_port, myseq, myack, TH_ACK, 0, NULL, 0, o.extra_payload,
 o.extra_payload_length);
 }
@@ -753,7 +755,7 @@
 // case WSAENOTCONN: // needed? this fails around here on my system
 #endif
 if (errno == EAGAIN && o.verbose) {
- log_write(LOG_STDOUT, "Machine %s MIGHT actually be listening on probe port %d\n", hostbatch[hostindex]->targetipstr(), o.tcp_probe_port);
+ log_write(LOG_STDOUT, "Machine %s MIGHT actually be listening on probe port %d\n", hostbatch[hostindex]->targetipstr(), o.tcp_probe_port[0]);
 }
 foundsomething = 1;
 newstate = HOST_UP;
@@ -781,11 +783,11 @@
 if (res2 == 0)
 log_write(LOG_STDOUT, "Machine %s is actually LISTENING on probe port %d\n", hostbatch[hostindex]->targetipstr(),
- o.tcp_probe_port);
+ o.tcp_probe_port[0]);
 else
 log_write(LOG_STDOUT, "Machine %s is actually LISTENING on probe port %d, banner: %s\n", hostbatch[hostindex]->targetipstr(),
- o.tcp_probe_port, buf);
+ o.tcp_probe_port[0], buf);
 }
 }
 if (foundsomething) {
diff -U3 nmap-3.10ALPHA6/targets.h nmap-3.10ALPHA6-multipletcp/targets.h
--- nmap-3.10ALPHA6/targets.h 2002-08-27 15:43:23.000000000 -0600
+++ nmap-3.10ALPHA6-multipletcp/targets.h 2002-12-19 09:13:50.000000000 -0700
@@ -113,9 +113,9 @@
 int sendpingquery(int sd, int rawsd, Target *target, int seq, unsigned short id, struct scanstats *ss, struct timeval *time, int pingtype, struct pingtech ptech);
-int sendrawtcppingquery(int rawsd, Target *target, int pingtype,
+int sendrawtcppingquery(int rawsd, Target *target, int pingtype, u16 probe_port,
 int seq, struct timeval *time, struct pingtune *pt);
-int sendconnecttcpquery(Target *hostbatch[], struct tcpqueryinfo *tqi, Target *target,
+int sendconnecttcpquery(Target *hostbatch[], struct tcpqueryinfo *tqi, Target *target, u16 probe_port,
 int seq, struct timeval *time, struct pingtune *pt, struct timeout_info *to, int max_width);
 int get_connecttcpscan_results(struct tcpqueryinfo *tqi, Target *hostbatch[],
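Review bot: The messages changed at 755 and in the two log_write calls at 783 still print `o.tcp_probe_port[0]`, yet they sit in the connect-TCP result path whose sender, `sendconnecttcpquery`, now receives the port as a `u16 probe_port` argument (targets.h hunk on this line); the call site that chooses the entry is garbled in this copy, so if it ever passes anything other than [0] these lines will name a port that was never probed. The robust fix is to keep the port actually connected to next to its socket (in `struct tcpqueryinfo`, outside this hunk) and print that instead of re-reading the global. Until then a comment at the first of these, `/* connect ping currently uses only the first configured probe port */`, would at least make the assumption explicit. The enclosing function, presumably get_connecttcpscan_results, starts and ends outside the hunk.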